
how to find security holes.txt

From: Manifestation
Subject: Security holes manifest themselves in (broadly) four ways...
Date: 11.10.93

( Please contribute by sending E-Mail to <scott@santafe.edu> ... )

[quoting from the comp.security.unix FAQ]

Security holes manifest themselves in (broadly) four ways:

1) Physical Security Holes.

- Where the potential problem is caused by giving unauthorised persons
physical access to the machine, where this might allow them to perform
things that they shouldn't be able to do.

A good example of this would be a public workstation room where it would
be trivial for a user to reboot a machine into single-user mode and muck
around with the workstation filestore, if precautions are not taken.

Another example of this is the need to restrict access to confidential
backup tapes, which may (otherwise) be read by any user with access to
the tapes and a tape drive, whether they are meant to have permission or
not.

2) Software Security Holes

- Where the problem is caused by badly written items of "privileged"
software (daemons, cronjobs) which can be compromised into doing things
which they shouldn't oughta.

The most famous example of this is the "sendmail debug" hole (see
bibliography) which would enable a cracker to bootstrap a "root" shell.
This could be used to delete your filestore, create a new account, copy
your password file, anything.

(Contrary to popular opinion, crack attacks via sendmail were not just
restricted to the infamous "Internet Worm" - any cracker could do this
by using "telnet" to port 25 on the target machine.  The story behind a
similar hole (this time in the EMACS "move-mail" software) is described
in [Stoll].)

New holes like this appear all the time, and your best hopes are to:

  a: try to structure your system so that as little software as possible
  runs with root/daemon/bin privileges, and that which does is known to
  be robust.

  b: subscribe to a mailing list which can get details of problems
  and/or fixes out to you as quickly as possible, and then ACT when you
  receive information.

>From: Wes Morgan <morgan@edu.uky.ms>
>
> c: When installing/upgrading a given system, try to install/enable only
> those software packages for which you have an immediate or foreseeable
> need.  Many packages include daemons or utilities which can reveal
> information to outsiders.  For instance, AT&T System V Unix' accounting
> package includes acctcom(1), which will (by default) allow any user to
> review the daily accounting data for any other user.  Many TCP/IP
> packages automatically install/run programs such as rwhod, fingerd, and
> <occasionally> tftpd, all of which can present security problems.
>
> Careful system administration is the solution.  Most of these programs
> are initialized/started at boot time; you may wish to modify your boot
> scripts (usually in the /etc, /etc/rc, /etc/rcX.d directories) to
> prevent their execution.  You may wish to remove some utilities completely.
> For some utilities, a simple chmod(1) can prevent access from unauthorized
> users.
>
> In summary, DON'T TRUST INSTALLATION SCRIPTS/PROGRAMS!  Such facilities
> tend to install/run everything in the package without asking you.  Most
> installation documentation includes lists of "the programs included in
> this package"; be sure to review it.

3) Incompatible Usage Security Holes

- Where, through lack of experience, or no fault of his/her own, the
System Manager assembles a combination of hardware and software which
when used as a system is seriously flawed from a security point of view.
It is the incompatibility of trying to do two unconnected but useful
things which creates the security hole.

Problems like this are a pain to find once a system is set up and
running, so it is better to build your system with them in mind.  It's
never too late to have a rethink, though.

Some examples are detailed below; let's not go into them here, it would
only spoil the surprise.

4) Choosing a suitable security philosophy and maintaining it.

>From: Gene Spafford <spaf@cs.purdue.edu>
>The fourth kind of security problem is one of perception and
>understanding.  Perfect software, protected hardware, and compatible
>components don't work unless you have selected an appropriate security
>policy and turned on the parts of your system that enforce it.  Having
>the best password mechanism in the world is worthless if your users
>think that their login name backwards is a good password! Security is
>relative to a policy (or set of policies) and the operation of a system
>in conformance with that policy.

---

From: Hacking
Subject: Hacking Ideas
Date: 11/10/93

( Please contribute by sending E-Mail to <scott@santafe.edu> ... )

[ Many ideas taken from: HaxNet - APG V1.3 : Guide to finding new holes]

NOTE: I think this should be divided into general categories:
1) General principles
2) Looking for holes in src (most items here)
3) Looking in binary distributions
4) Looking in site specific configurations

  The following general classifications suggest themselves:
1) SUID/SGID
2) Return codes/error conditions
3) unexpected input
4) race conditions
5) authentication
6) implicit trust
7) parameters
8) permissions
9) interrupts
10) I/O
11) symbolic links
12) Daemons, particularly those taking user input.
13) Kernel race conditions
14) what else? - please add categories

(Suggested splitting of above into main and sub-categories)

I:   Suid binaries and scripts
     unexpected user interactions
     flawed library calls
     implicit assumptions of external conditions (sym links, loc. paths)
     race conditions
II:  daemons running with privileged uid's
     race conditions
     poor file protections
     implicit file protections
     trust
     authentication
III: Kernel problems
     Kernel race conditions
     device driver code

The following four step method was created by System Development
Corporation, who report a 65% success rate on the flaw hypotheses
generated.  Doing a comprehensive search for operating system flaws
requires four steps:

Step 1) Knowledge of system control structure.
===============================================
  To find security holes and identify design weaknesses, it is
necessary to understand the system control structure, and layers.
  One should be able to list the:
A) security objects: items to be protected. ie: a user's file.
B) control objects: items that protect security objects. ie: an i-node
C) mutual objects  : objects in both classes. ie: the password file
  With such a list, it is possible to graphically represent a control
hierarchy and identify potential points of attack. Making flow charts
to give a visual breakdown of relationships definitely helps.
  Reading the various users, operators, and administrators manuals should
provide this information.
(following para's should probably be moved to a "legal" section)
  Reading and grepping source code should also prove valuable. For those
without a source licence, I would suggest we use LINUX, NET2, and BSD386
distributions in order to stay legal. At some future time we may be able
to form a working contract between someone or a company with legal access
to other distributions and members actively participating in this project.
  It appears that extracts of proprietary code may be used for academic
study, so long as they are not reused in a commercial product - more
checking is necessary though.

Step 2) Generate an inventory of suspected flaws. (i.e. flaw hypotheses)
========================================================================
In particular we want:
  Code history:
    What UNIX src does a particular flavor derive from? This is important
for cross references (very often only one vendor patches certain code,
which may get reused, in its unpatched reincarnation by others)
  A solid cross reference:
    Who checked which bug in what OS and what version prevents us from
duplicating work.
  A good start would be listing all the suid binaries on the various OS
flavors/versions. Then try to work out why each program is suid. i.e.:
    rcp is suid root because it must use a privileged port to do user
    name authentication.
  Often code that was never designed to be suid, is made suid, during
porting to solve file access problems.
  We need to develop a data base that will be able to look at pairs and
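
Added example (not part of the original FAQ text): a small Python audit for the suid inventory suggested in Step 2. It records every setuid/setgid regular file under a directory and flags entries that are absent from a reviewed baseline or writable by group/other; the function names, the baseline format and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def suid_inventory(root):
    """Map path -> (permission bits, uid, gid) for setuid/setgid regular files under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):  # os.walk does not follow symlinked dirs
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: inspect the link itself, never its target
            except OSError:
                continue  # removed or unreadable between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return found

def review(current, baseline):
    """Return {path: [reasons]} for entries an administrator should justify."""
    flagged = {}
    for path, entry in sorted(current.items()):
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        elif baseline[path] != entry:
            reasons.append("mode or owner changed")
        if entry[0] & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("writable by group/other")
        if reasons:
            flagged[path] = reasons
    return flagged

def demo():
    """Constructed sample tree: one reviewed setuid file, one plain file, one loose setuid file."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("rcp", 0o4755), ("ls", 0o755), ("loose", 0o4775)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        current = suid_inventory(root)
        known = os.path.join(root, "rcp")
        baseline = {known: current[known]}  # assumption: rcp was already reviewed
        flagged = review(current, baseline)
        return {os.path.basename(p): r for p, r in flagged.items()}

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", ", ".join(reasons))
```

Saving the dictionary returned by suid_inventory() after each review gives the baseline for the next run, so only new or changed suid entries need a written justification.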
